Secure Machine Learning with SQL Server Always Encrypted with Secure Enclaves
Stefano Tempesta
Protecting Data Through its Lifecycle

At rest (existing): encrypt inactive data when stored in database files, backup files, log files, etc. Example: SQL Server Transparent Data Encryption (TDE).
In transit (existing): encrypt data flowing between applications and the database. Example: TLS.
In use (new): protect/encrypt data while it is being used during computation. Industry-first solution: Always Encrypted.
Confidential Computing using Enclaves

Enclave: an isolated region of memory that provides a trusted execution environment.
Data stored inside the enclave cannot be accessed from outside the enclave.
Code running inside the enclave must be signed and cannot be modified.
[Diagram: application code and data inside the enclave, isolated from the operating system, hypervisor and hardware layers below it; Intel Software Guard Extensions (SGX) shown as the hardware enclave technology]
azure.microsoft.com/solutions/confidential-compute
SQL Server 2019 Always Encrypted with Secure Enclaves
Always Encrypted with Secure Enclaves

Protects sensitive data in use while preserving rich queries and providing in-place encryption.
[Diagram: the enhanced client driver sends ciphertext to the SQL Server engine; plaintext exists only in the client and inside the enclave]

Secure computations inside an enclave: the SQL Server engine delegates operations on encrypted data to a secure enclave, where the data can be safely decrypted and processed.
Rich queries: supports pattern matching (LIKE), range queries (<, >, etc.) and indexing on encrypted columns.
In-place encryption: the secure enclave supports initial data encryption and key rotation in place, without moving the data out of the database.
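The following T-SQL is an added example, not part of the deck, showing the server-side steps behind the slide above on SQL Server 2019: enabling the VBS enclave, creating an enclave-enabled column master key and column encryption key, encrypting an existing column in place, and running a range and LIKE query on randomized-encrypted columns. Every object name (CMK_Enclave, CEK_Enclave, dbo.Patients), the certificate thumbprint and the 0x00 key material are placeholders; the real signature and encrypted key value are produced by client tooling (SSMS or PowerShell) that holds the column master key. The ALTER COLUMN and the final query only succeed on a session opened with Always Encrypted and enclave attestation enabled, because the client driver must establish the secure tunnel that delivers the key to the enclave.

```sql
-- Added example (not from the deck). Placeholders: CMK_Enclave, CEK_Enclave,
-- dbo.Patients, the certificate thumbprint, and the 0x00 signature/key values.

-- 1. Enable the virtualization-based security (VBS) enclave (value 1).
--    The instance must be restarted before the setting takes effect.
EXEC sp_configure 'column encryption enclave type', 1;
RECONFIGURE;
GO

-- 2. Column master key flagged for enclave computations. The SIGNATURE is a
--    signature over the CMK metadata made with the CMK itself; tooling
--    computes it, so 0x00 here is a placeholder, not a real value.
CREATE COLUMN MASTER KEY CMK_Enclave
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<certificate-thumbprint-placeholder>',
    ENCLAVE_COMPUTATIONS (SIGNATURE = 0x00)   -- placeholder signature
);
GO

-- 3. Column encryption key. The server stores it only as ciphertext wrapped
--    by the CMK; the plaintext CEK never reaches the engine outside the enclave.
CREATE COLUMN ENCRYPTION KEY CEK_Enclave
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Enclave,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00                    -- placeholder ciphertext
);
GO

-- 4. An existing plaintext table with constructed sample rows.
--    BIN2 collation is required on string columns that will use LIKE/range queries.
CREATE TABLE dbo.Patients (
    PatientId    INT IDENTITY PRIMARY KEY,
    LastName     NVARCHAR(100) COLLATE Latin1_General_BIN2 NOT NULL,
    MaxHeartRate INT NOT NULL
);
INSERT INTO dbo.Patients (LastName, MaxHeartRate)
VALUES (N'Rossi', 172), (N'Bianchi', 140), (N'Romano', 158);
GO

-- 5. In-place encryption: with an enclave-enabled CEK the engine performs the
--    cryptographic operation inside the enclave, so no data round-trips to the
--    client. Randomized encryption is required for range/LIKE queries.
ALTER TABLE dbo.Patients
    ALTER COLUMN LastName NVARCHAR(100) COLLATE Latin1_General_BIN2
    ENCRYPTED WITH (
        COLUMN_ENCRYPTION_KEY = CEK_Enclave,
        ENCRYPTION_TYPE = RANDOMIZED,
        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
    ) NOT NULL
    WITH (ONLINE = ON);
ALTER TABLE dbo.Patients
    ALTER COLUMN MaxHeartRate INT
    ENCRYPTED WITH (
        COLUMN_ENCRYPTION_KEY = CEK_Enclave,
        ENCRYPTION_TYPE = RANDOMIZED,
        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
    ) NOT NULL
    WITH (ONLINE = ON);
GO

-- 6. Rich queries on the randomized-encrypted columns. The driver encrypts
--    the parameters on the client and signs the request; the comparison runs
--    inside the enclave. Without enclave attestation on the session this fails.
DECLARE @MinRate INT = 150;
DECLARE @Pattern NVARCHAR(100) = N'Ro%';
SELECT PatientId, LastName, MaxHeartRate
FROM dbo.Patients
WHERE MaxHeartRate > @MinRate
  AND LastName LIKE @Pattern;
GO
```

With the constructed rows, the final query returns Rossi (172) and Romano (158) on an attested session; the same statement on a session without Always Encrypted enabled is rejected because the engine cannot compare randomized ciphertext itself.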
Look inside an Enclave
Browsing the memory of an enclave with a debugger reveals nothing.
Enclave Attestation

How do you (and your app) know the enclave can be trusted? By using an attestation protocol and an attestation service.
[Diagram: the enhanced client driver contacts the attestation service before sending ciphertext to SQL Server; plaintext exists only in the client and inside the enclave]
Secure Tunnel

How does the enclave get the keys to encrypt/decrypt data? Via a secure tunnel: the client driver and the enclave negotiate a session key.
The client driver:
encrypts the column encryption keys with the session key;
signs queries that require enclave computations.
[Diagram: secure tunnel between the enhanced client driver and the enclave; SQL Server sees only ciphertext]
Attestation using Host Guardian Service

What is attestation? A process to assess the health/integrity of a remote service, OS or workload. It leverages industry-standard security technologies:
Trusted Platform Module (TPM) v2
UEFI Secure Boot
Measured boot (TCG log)

What is the Host Guardian Service (HGS)? A Windows Server 2016/2019 role that provides health attestation and key release. Currently used by SQL Server and Hyper-V.
Attestation modes

HGS supports a few different attestation modes. The mode of attestation does NOT affect how the workload works; it only affects the level of trust and integrity a caller can place in the workload.

Three attestation modes:
Active Directory (admin) mode. Recommended use cases: lab, PoC.
Host Key mode.
TPM or hardware mode (recommended). Recommended use cases: lab, PoC, production.
[Diagram: SQL Server trusts HGS for attestation]
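The three slides above describe keys that reach the enclave only through an attested secure tunnel, so the engine itself should never hold a column encryption key in the clear. The T-SQL below is an added example, not from the deck, that a DBA can run to check the server-side state: that the enclave type is configured, which column master keys are permitted for enclave computations, that column encryption keys are stored only as ciphertext under a CMK, and which columns are encrypted with which key. It uses only the documented catalog views; the object names CMK_Enclave and CEK_Enclave are placeholders for a hypothetical deployment.

```sql
-- Added example (not from the deck). Catalog views are SQL Server's own;
-- key and table names in the output depend on the deployment.

-- Is an enclave type configured? value_in_use 1 = VBS enclave (SQL Server 2019).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'column encryption enclave type';

-- Which column master keys may be used inside the enclave?
-- allow_enclave_computations = 1 means the CMK was created with ENCLAVE_COMPUTATIONS.
SELECT name, key_store_provider_name, key_path, allow_enclave_computations
FROM sys.column_master_keys;

-- Column encryption keys are present on the server only as ciphertext wrapped
-- by a CMK. The encrypted_value length shows that only the wrapped form exists;
-- the CMK itself lives in the client-side key store named above, never here.
SELECT k.name AS cek_name,
       m.name AS cmk_name,
       v.encryption_algorithm_name,
       DATALENGTH(v.encrypted_value) AS encrypted_value_bytes
FROM sys.column_encryption_keys AS k
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = k.column_encryption_key_id
JOIN sys.column_master_keys AS m
  ON m.column_master_key_id = v.column_master_key_id;

-- Which columns are encrypted, how (DETERMINISTIC or RANDOMIZED) and under which CEK?
-- Range and LIKE queries delegated to the enclave require RANDOMIZED columns.
SELECT OBJECT_NAME(c.object_id) AS table_name,
       c.name                   AS column_name,
       c.encryption_type_desc,
       c.encryption_algorithm_name,
       k.name                   AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
  ON k.column_encryption_key_id = c.column_encryption_key_id
ORDER BY table_name, column_name;
```

The client side of the attestation handshake is not visible in T-SQL: a Microsoft.Data.SqlClient connection string enables it with the Column Encryption Setting, Attestation Protocol and Enclave Attestation Url keywords, and the driver performs the attestation and session key negotiation from the slides before any enclave query is sent.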
Open Enclave SDK
openenclave.io
github.com/Microsoft/openenclave
Multiparty Machine Learning
ML.NET (dot.net/ml)

Multi-class classification.
Single source: 80% accuracy.
Multiple sources: 96% accuracy.

Input (medical record):
{ "risk": 0.0, "age": 0, "sex": 0, "smoker": false, "chestPain": 0, "bloodPressure": 0, "serumCholestoral": 0, "fastingBloodSugar": false, "maxHeartRate": 0 }

Output (risk class):
{ "score": 0.0, "accuracy": 0.0 }
THANK YOU!
@stefanotempesta
/in/stefanotempesta
www.blogchain.space